Description
This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
Indication of Infection
--- Update April 11, 2003 ---
A new variant has been found. It drops the following files:

| File name | File Size | Type |
| --- | --- | --- |
| Dvldr32.exe | 802,824 bytes | the worm |
| inst.exe | 684,562 bytes | trojan dropper RemoteAdmin.dr |
| hypertrm.exe | 241,664 bytes | Remote Administration tool detected as RemoteAdmin.svr |
| AdmDll.dll | 90,112 bytes | file used by RemoteAdmin.svr |
| raddrv.dll | 29,408 bytes | file used by RemoteAdmin.svr |
| psexec.exe | 36,352 bytes | Remote Process Launch application RemoteProcessLaunch (UPX packed and therefore detected as IRC/Flood.i with the 4232 DATs and higher) |
The following files are associated with this threat:

| File name | File Size | Type |
| --- | --- | --- |
| cygwin1.dll | 944,968 bytes | innocent file, but used by the IRC bot IRC-Pitchfork |
| dvldr32.exe | 745,984 bytes | Worm |
| explorer.exe | 212,992 bytes | Renamed VNC application (see: BackDoor-ARG) |
| inst.exe | 684,562 bytes | BackDoor-ARG dropper |
| omnithread_rt.dll | 57,344 bytes | VNC application |
| psexec.exe | 36,352 bytes | Remote Process Launch application RemoteProcessLaunch (UPX packed and therefore detected as IRC/Flood.i with the 4232 DATs and higher) |
| rundll32.exe | 29,336 bytes | IRC bot IRC-Pitchfork |
| VNCHooks.dll | 32,768 bytes | VNC application |
Unusually high outgoing TCP traffic from an infected system to port 445 of remote machines is caused by this worm, as illustrated in the original advisory's Sniffer Matrix View screenshot.
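The symptom above (one host initiating TCP/445 connections to many distinct peers) can be checked against a flow log. This is an added example, not code from the advisory or its vendor; the log format (timestamp, source, destination, destination port, protocol per line) and the `min_peers` threshold are assumptions, and all records are constructed.

```python
"""Flag hosts whose outbound TCP/445 fan-out matches the Deloder symptom above.

Added example, not from the advisory. The flow-log format (timestamp, src, dst,
dport, proto per line) is an assumption, and all records below are constructed.
"""
from collections import defaultdict

# Constructed flow log: one infected workstation sweeping 30 neighbours on TCP/445,
# one normal workstation talking repeatedly to a single file server, some web traffic,
# and one malformed line to show that parsing tolerates it.
SAMPLE_LOG = "\n".join(
    [f"2003-04-11T10:00:{i:02d} 10.0.0.5 10.0.1.{i + 1} 445 tcp" for i in range(30)]
    + [f"2003-04-11T10:01:{i:02d} 10.0.0.7 10.0.0.100 445 tcp" for i in range(40)]
    + [f"2003-04-11T10:02:{i:02d} 10.0.0.7 93.184.216.{i} 80 tcp" for i in range(25)]
    + ["garbage line that does not parse"]
)

def parse_flows(text):
    """Yield (src, dst, dport, proto) tuples, skipping lines that do not parse."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        _ts, src, dst, dport, proto = parts
        try:
            yield src, dst, int(dport), proto.lower()
        except ValueError:
            continue

def smb_fanout(flows):
    """Map each source host to the set of distinct peers it contacted on TCP/445."""
    peers = defaultdict(set)
    for src, dst, dport, proto in flows:
        if proto == "tcp" and dport == 445 and src != dst:
            peers[src].add(dst)
    return peers

def suspicious_smb_scanners(text, min_peers=20):
    """Return hosts that initiated TCP/445 to more than `min_peers` distinct hosts.

    Repeated traffic to one file server is normal; a workstation initiating 445 to
    many distinct hosts is the symptom the advisory describes. `min_peers` is a
    tuning assumption, not a value from the advisory.
    """
    return sorted(src for src, dsts in smb_fanout(parse_flows(text)).items()
                  if len(dsts) > min_peers)

if __name__ == "__main__":
    print(suspicious_smb_scanners(SAMPLE_LOG))  # ['10.0.0.5']
```

The fan-out count, not the raw flow count, is what separates the sweeping host from a busy client of a single file server.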
Methods of Infection
This worm does not function on Win9x/ME/NT systems. When the main worm component is run, it drops a Backdoor trojan installer (INST.EXE) and a Remote Process Launch application. The worm attempts to copy and execute itself on remote systems via accessible network shares. It tries to connect to the IPC$ share using the following passwords:
- 0
- 000000
- 00000000
- 007
- 1
- 110
- 111
- 111111
- 11111111
- 12
- 121212
- 123
- 123123
- 1234
- 12345
- 123456
- 1234567
- 12345678
- 123456789
- 1234qwer
- 123abc
- 123asd
- 123qwe
- 2002
- 2003
- 2600
- 54321
- 654321
- 88888888
- a
- aaa
- abc
- abc123
- abcd
- Admin
- admin
- admin123
- administrator
- alpha
- asdf
- computer
- database
- enable
- foobar
- god
- godblessyou
- home
- ihavenopass
- Internet
- Login
- login
- love
- mypass
- mypass123
- mypc
- mypc123
- oracle
- owner
- pass
- passwd
- Password
- password
- pat
- patrick
- pc
- pw
- pw123
- pwd
- qwer
- root
- secret
- server
- sex
- super
- sybase
- temp
- temp123
- test
- test123
- win
- xp
- xxx
- yxcv
- zxcv
The worm also attempts to drop the trojan installer on the remote system in the following share folders:
- C$\WINNT\All Users\Start Menu\Programs\Startup\inst.exe
- C\WINDOWS\Start Menu\Programs\Startup\inst.exe
- C$\Documents and Settings\All Users\Start Menu\Programs\Startup\inst.exe
The worm also deletes the following shares:
When the DVLDR32.EXE file is run, PSEXEC.EXE and INST.EXE are extracted to the local path.
Aliases
Deloder (F-Secure), dlvdr32.exe, W32.HLLW.Deloder (Symantec), W32/Deloder-A (Sophos), Worm.Win32.Deloder (AVP), WORM_DELODER.A (Trend)